About Me

Reputability are thought leaders in the field of reputational risk and its root causes, behavioural risk and organisational risk. Our book 'Rethinking Reputational Risk' received excellent reviews: see www.rethinkingreputationalrisk.com. Anthony Fitzsimmons, one of its authors, is an authority and accomplished speaker on reputational risks and their drivers.
Reputability helps business leaders to find these widespread but hidden risks that regularly cause reputational disasters. We also teach leaders and risk teams about these risks.
Here are our thoughts, and the thoughts of our guest bloggers, on some recent stories which have captured our attention. We are always interested to know what you think too.

Sunday, 29 September 2013

Two years ago, I asked whether the Civil Service's top mandarins are competent. I discussed two pieces of evidence suggesting that they have a reputation for incompetence among those who deal most closely with them. A third suggested that this reputation is deserved.

Two recent books have brought the subject back into focus. Both consider the role of politicians as well as mandarins. Both are on my reading list on the strength of the experience of the authors and the reviews. Here is a taster based on the reviews. I'll write again when I've read the books.

"Conundrum pitches itself as an examination of the failures of government, but
it is primarily about the failures of government procurement....One of the most interesting areas they cover is the relationship between civil
servants and the politicians who, nominally, oversee them. In my experience,
the majority of career civil servants regard politicians as meddling
dilettantes, while politicians regard most civil servants as obstructive
bureaucrats. It’s pleasing to find Hope and Bacon confirming that view"

The second book is 'The Blunders of our Governments' by Anthony King and Ivor Crewe. The authors are eminent professorial political scientists of an age to have allowed each of them many decades observing the machinery of government.

According to the The Financial Times review by Philip Stephens, the book shatters the delusion of UK public administrators that British government is of 'Rolls Royce' quality. Rather, through a "sometimes grimly entertaining" catalogue of public policy disasters
over the past several decades, the authors show that Britain's public administration is characterised by "predictable and predicted blunders".

Not content with that, the authors explain that blunders are not the same as mistakes.
"Mistakes count as
blunders when they are stupid and careless – driven by some combination
of hubris, laziness, wilful ignorance or sheer incompetence."

Both books appear to assert not only the incompetence of senior civil servants but also of the their political masters of all colours and persuasions. It is no consolation that private sector failures display similar weaknesses, as was demonstrated by 'Roads to Ruin', the Cass Business School report for Airmic.

Is it too much to expect that the Civil Servants' leaders address weaknesses such as these? Sadly, yes. Cognitive biases make it hard for us all to see our own shortcomings, and civil servants and politicians are as human as you and I. Overcoming this weaknesses requires a new attitude.

Until mandarins appreciate that they 'may' - the above authors would say 'do' - lie at the root cause of unacceptable behavioural and organisational risks, they will not allow investigation of their own weaknesses. The signs are that mandarins are still in denial. And it is far too dangerous for their subordinates to enlighten them of their weaknesses. That is why suggestions that the Treasury's Orange Book on risk management needs revision to include behavoural and organisational risks have been ignored.

Once they have achieved acceptance that they may be part of the problem, mandarins will need a new tool. In 'Deconstructing failure - Insights for boards', a report by Reputablity, we proposed a new tool to deal with the parallel weakness in company boards: the Board Vulnerability Evaluation. Adapted to the Civil Service departmental leadership teams, this would help civil service leaders and their political masters to:

identify sources of risk within and outside the leadership that may impair leadership effectiveness, including risks from inadequate information flows to and from the leadership;

analyse the potential consequences of these risks and weaknesses individually, in combination and in combination with other risks;

prioritise action to mitigate these risks;

set risk appetite, and

gain insights as to the extent to which behavioural and organisational risks elsewhere in the organisation need investigation.

It is too often an unnecessary tragedy when a government project fails and the cost falls on the public purse. But it will only be when influential insiders come to recognise the nature and scale of the problem, and their central role in it, that these apparently widespread weaknesses will be addressed.

Wednesday, 11 September 2013

A 'Three lines of Defence' risk management model sounds reassuring, but it contains a flaw.

The model was
implicitly endorsed by the UK's now defunct Financial Services Authority in 2003 and is still characterised as “sound
operational risk governance” by the Basel Committee on Banking Supervision,
failed to prevent the recent financial sector crisis.

‘Three lines of defence’, ubiquitous in financial services
and widespread elsewhere, actually has four layers. Line managers deal with risks as they take
them. Centralised teams monitor and
report on risk to the CEO’s team and to the board.Internal and external auditors should bring
an independent view.And the whole is
overseen by non-executive directors, typically the Audit or Risk Committee.

The Parliamentary Commission on Banking Standards recently
criticised the model, for promoting a ‘wholly misplaced sense of security’,
blurring responsibility, diluting accountability and leaving risk, compliance
and internal audit staff with insufficient status to do their job
properly.They thought much of the system
had become a box-ticking exercise.

The Commission has correctly identified a failure in
implementation of the model, but the model has a deeper, more dangerous flaw
because it takes no account of the evidence on the real root causes of
failures.

Most major institutional disasters lead to an inquiry. But
as Anthony Hilton, the City commentator sagely remarked:-

“Inquiries are rarely the answer
because it is in the nature of inquiries to stop just at the point when they
get interesting; in other words they stop when they have found someone to
blame. Not for nothing did the late management guru Peter Drucker say that too
often the first rule in any corporate disaster was to find a scapegoat. So
inquiries focus on the processes within an organisation until they find some
hapless individual or group who departed from the manual.”

We have been deeply involved in two recent studies of the
root causes of major crises and failures.We were two of the four authors of ‘Roads to Ruin’, the Cass Business
School report for Airmic.More
recently, we doubled the scale of the study, publishing our conclusions as
Reputability’s report ‘Deconstructing failure – Insights for boards’.Taken together these seminal reports dig to
the root causes of over 40 major crises and failures, spread across the
financial and non-financial sectors and involving companies with collective pre-crisis
assets beyond the GDP of the USA.The
reports bring a new, and fundamentally different, insight into why large,
respected companies fail.The patterns
of failure revealed show that the ‘three lines of defence’ model failed because
of a fundamental gap in risk management.

Our breakthrough is the recognition that the root causes of
almost all the crises and failures we studied emerge from normal human
behaviour and the way in which humans are organised and led within firms.We call these previously unrecognised risk
areas ‘Behavioural’ and ‘Organisational’ risks, collectively ‘People’
risks. (Since we wrote this article Andrew Bailey, then Chief Executive of the Bank of
England's Prudential Regulation Authority, put this robustly in his speech on 9 May 2016.)

People risks lie at the root of all the failures studied for
‘Deconstructing failure’ both in the financial sector and outside it.But ‘three lines of defence’ provides no
defence against people risks in general, still less against people risks within
or emanating from the board, because risk management systems don’t go there.Risk management hasn’t yet evolved
systematically to take in people risks, so few risk professionals understand
them; and the most important risks are also too hot to handle because they
emanate from boards.

With these insights it is no surprise that the doctrine
failed to prevent the last banking crisis.Nor will it prevent the next one – or crises in other sectors.

These gaps have to be filled if boards and regulators are to
be able to sleep at night.Two developments
are required. The first is to develop a cadre of risk professionals with skills
in people risks, the main drivers of reputational damage and corporate collapse.

But that will not deal with the issue of vulnerabilities in
or emanating from boards that regularly bring organisations to their
knees.For that, a second development is
essential.Boards need new tools that
will both assess risks in and caused by the board; and help boards to overcome
the cognitive biases that make it hard for all of us to see ourselves as others
can.

In ‘Deconstructing failure’ we recommend a new tool to meet
this need.We call it the ‘Board Vulnerability Evaluation’ (and we have now done the work to develop it).The tool is designed to help chairmen and
their Boards to:-

Systematically understand and identify potential
sources of corporate vulnerability within and outside the board, including people
risks and risks from inadequate information flows to and from the board;

analyse the potential consequences of these
risks and weaknesses individually, in combination and in combination with other
risks;

prioritise and galvanise action where needed to
mitigate these risks;

set risk appetite, and

gain insights as to the extent to which people
risks elsewhere in the organisation need investigation.

It is a tragedy when a respected company fails and the cost
can be catastrophic.Board Vulnerability
Evaluation will give Boards the opportunity to find, prioritise and where
appropriate deal with these unrecognised but potentially devastating risks
before they cause serious harm.